We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Application Firewall

How to Make the Client IP Address Available to the Back-end Server in Proxy Mode

  • Last updated on

When deployed in proxy mode, by default the Barracuda Web Application Firewall appears as the source IP address in the requests it forwards to the back-end servers. For servers on the back-end needing to access the actual client IP address, the Barracuda Web Application Firewall provides two configurable ways to achieve this:

  • Client Impersonation
  • X-Forwarded-For Header

While both of these options provide the Client IP address to the servers, you should consider the following before deciding which option to use:

Client ImpersonationX-Forwarded-For Header

Provides the Client IP address in the Source IP address of the request.

Requires a networking change.

Performance impact.

Provides the Client IP address in the Header "X-Forwarded-For" of the Request.

Requires a logging change.

 

To Use the Client IP address from the X-Forwarded-For Header

By default, the Client IP Address is inserted by the Barracuda Web Application Firewall in the request Header "X-Forwarded-For" when the request is forwarded to the back-end server. 

To use the embedded IP Address with Apache servers or with IIS 7 or IIS 7.5 servers, refer to the following articles:

How to Log Client IP Address when the Barracuda Web Application Firewall is Deployed Behind a Proxy

If the Barracuda Web Application Firewall is deployed behind a Proxy server, all requests have their client IP address as the address of the Proxy server, which is logged as the Client IP on the BASIC > Access Logs page. To log the actual client IP address, specify the header name appended by the Proxy server which contains the actual client IP address in the Header for Client IP Address field on the BASIC > Services page. 

Steps To Configure the Header Name:

  1. Edit the Service from the BASIC > Services page.
  2. Scroll down to the Basic Security section and specify the header name in the Header for Client IP Address field. The standard headers used to store the actual client IP address are:

If the Proxy is appending a custom header, then specify that header in the Header for Client IP Address field.

When a request is received, the Barracuda Web Application Firewall gets the actual client IP address from the specified header and displays it in the Client IP field of the Access Logs.

For example, consider the client IP addresses  174.15.230.2 and 174.15.230.3, and proxy IP address 174.15.230.254. When the client sends a request, the proxy receives the request and stores the IP address of the client in the X-Forwarded-For or X-Client-IP header, and forwards the request to the Barracuda Web Application Firewall. The Barracuda Web Application Firewall extracts the client IP address from the specified header and displays it in the Access Logs.

Scenario 1:

x_forwarded_for-01.png

Scenario 2:

x_forwarded_for_1-01.png

Last updated on